T2
FHFA
Medium Confidence
Guidance
Oversight of Third-Party Provider Relationships
Enhanced third-party risk management oversight requirements for FHFA-supervised entities
HIGH
Impact Level
Top: third party risk (5)
Classification
- Regulatory Program
- FHFA Third-Party Risk Management
- Doc Type
- Guidance
- Effective Date
- 2026-09-29 (est.)
- Days to Action
- 75
- Comment Deadline
- —
- Published
- —
Urgency Basis
Advisory bulletin guidance typically requires implementation within 60-90 days of publication
Operational Context
Flags
Examination Focus
Board Reporting Required
Systems Change Required
Legal Review Required
Affected Functions
Risk Management
Vendor Management
Compliance
Procurement
Legal
Operations
Institution Applicability
Federal Home Loan Banks
Fannie Mae
Freddie Mac
Fhfa-Supervised Entities
Impact by Category
Compliance
4
Operational
4
Data Governance
3
Model Risk
2
Reporting & Disclosure
3
Capital & Liquidity
1
Consumer Protection
3
Third-Party Risk
5
Key Requirements
- Establish comprehensive third-party risk management framework
- Implement enhanced vendor due diligence and selection processes
- Develop robust contract management and oversight protocols
- Create ongoing monitoring and performance measurement systems
- Maintain detailed documentation of third-party relationships
- Establish escalation procedures for third-party issues
- Conduct regular risk assessments of material third-party providers
Scoring Rationale
High impact reflects comprehensive third-party oversight requirements affecting multiple business functions. Third-party risk management requires enterprise-wide framework implementation with significant operational changes. Compliance burden is substantial given documentation and ongoing monitoring requirements.
AI Analysis Disclosure — This record, including its scores, impact assessments, and Advisory
Assessment (impact, risk, and recommended actions), was generated by an AI model and may contain errors or
omissions. The Advisory Assessment is a starting point for analysis, not a substitute for professional judgment.
Effective dates, applicability determinations, impact assessments, and any recommended actions should be
independently verified against primary regulatory source documents and reviewed by qualified compliance or legal
personnel before taking compliance action. This output does not constitute legal or compliance advice.